• The designated security officer for CBIS conducted a self-assessment of the system in September 2010.
• A contingency plan was developed and tested for CBIS in March 2010 in compliance with NIST SP 800-34.

However, we noted the following opportunities for improvement in the CBIS security program:
• The CBIS Privacy Impact Assessment (PIA) was not conducted in full compliance with the requirements of OPM's PIA Guide and the Office of Management and Budget (OMB) Memorandum M-03-22.
• The CBIS POA&M does not contain all known security weaknesses as required by the OPM POA&M Guide.
• The OIG independently tested 28 of the NIST SP 800-53 controls for CBIS and found that 7 of these security controls were not in place during the fieldwork phase of the audit.

In addition to the weaknesses outlined above, we noted a significant deficiency in the Office of the Chief Financial Officer's (OCFO) ability to manage segregation of duties within the CBIS application. The OCFO developed a segregation of duties policy, but the application did not have the technical settings in place to enforce these rules. In addition, the OCFO indicated that they did not have a firm understanding of the roles that should be segregated within the application and that the existing segregation of duties policy was not accurate.

Contents
Executive Summary
Introduction
Background
Objectives
Scope and Methodology
Compliance with Laws and Regulations
Results
   I. Certification and Accreditation Statement
   II. FIPS 199 Analysis
   III. Information System Security Plan
   IV. Risk Assessment
   V. Independent Security Control Testing
   VI. Security Control Self-Assessment
   VII. Contingency Planning and Contingency Plan Testing
   VIII. Privacy Impact Assessment
   IX. Plan of Action and Milestones Process
   X. NIST SP 800-53 Evaluation
Major Contributors to this Report
Appendix: Office of the Chief Financial Officer February 8, 2011 response to the draft audit report, issued January 18, 2011.

Introduction
On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Consolidated Business Information System (CBIS).

Background
CBIS is one of OPM's 43 critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of the IT security controls of this system, as well as all of the agency's systems, on a rotating basis.

The Office of the Chief Financial Officer (OCFO) has been designated with ownership of CBIS. CBIS aids in OPM's management of the agency's financial resources. CBIS provides functionality for OPM's general ledger, accounts payable, accounts receivable, purchasing, procurement, budgeting, and other financial resources management.
OPM's Center for Financial Services within the OCFO is responsible for the CBIS system. The OPM OCFO has retained Accenture to implement, host, and operate CBIS.

In 2009, the OIG conducted an audit of the system development and implementation of CBIS. As part of this current audit, we followed up on prior audit recommendations related to CBIS IT security. One audit recommendation from the 2009 report is reissued in this report (see Recommendation 1).

We discussed the results of our audit with OCFO representatives at an exit conference.

Objectives
Our objective was to perform an evaluation of security controls for CBIS to ensure that OCFO officials have implemented IT security policies and procedures in accordance with standards established by OPM, FISMA, and the National Institute of Standards and Technology (NIST).

OPM's IT security policies require managers of all major information systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The overall audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for CBIS, including:
• Certification and Accreditation Statement;
• FIPS 199 Analysis;
• Information System Security Plan;
• Risk Assessment;
• Independent Security Control Testing;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology
This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of OCFO officials responsible for CBIS, including IT security controls in place as of January 2011.

We considered the CBIS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's OCFO and Accenture officials with CBIS security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of CBIS are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on CBIS's system of internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM Information Technology Security Policy Volumes 1 and 2;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from November 2010 through January 2011 in OPM's Washington, D.C. office.

Compliance with Laws and Regulations
In conducting the audit, we performed tests to determine whether OCFO's management of CBIS is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that the OCFO is in violation of relevant laws and regulations.

Results
I. Certification and Accreditation Statement
A security certification and accreditation (C&A) of CBIS was completed in September 2009.

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidance to federal agencies in meeting security accreditation requirements. The CBIS C&A appears to have been conducted in compliance with NIST guidance.

The U.S. Department of Transportation's Enterprise Service Center (ESC) was contracted by the OCFO to prepare the C&A package for CBIS. OPM's Senior Agency Information Security Officer reviewed the CBIS C&A package and signed the system's certification package on September 17, 2009.
The system's Designated Accrediting Authority (OPM's Chief Information Officer) signed the accreditation statement and authorized the operation of the system on September 17, 2009.

II. FIPS 199 Analysis
Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume I, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The CBIS security categorization analysis categorizes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. CBIS is categorized with a moderate impact level for confidentiality, integrity, and availability, resulting in an overall categorization of moderate.

The security categorization of CBIS appears to be consistent with the guidance of FIPS 199 and NIST SP 800-60, and the OIG agrees with the categorization of moderate.

III. Information System Security Plan
The completion of an information system security plan (ISSP) is a requirement of OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources. In order to assist agencies in establishing a standardized approach to developing an ISSP, NIST developed SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems.

The ISSP for CBIS was created using the template outlined in NIST SP 800-18. The template requires that the following elements be documented within the ISSP:
• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Other Designated Contacts;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing;
• Laws, Regulations, and Policies Affecting the System;
• Minimum Security Controls;
• Plan Completion Date; and
• Plan Approval Date.

The ISSP for CBIS was prepared in September 2009 and revised in August 2010 in accordance with the format and methodology outlined in NIST SP 800-18. The CBIS ISSP contains the majority of the elements outlined by NIST SP 800-53 Revision 3 and NIST SP 800-18 Revision 1.

IV. Risk Assessment
A risk management methodology focused on protecting core business operations and processes is a key component of an efficient IT security program. A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources.

As part of the C&A process, ESC conducted a risk assessment of CBIS in September 2009 and evaluated the risk of each vulnerability in accordance with NIST SP 800-30 standards. NIST SP 800-30 offers a nine-step systematic approach to conducting a risk assessment that includes: (1) system characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9) result documentation. Fifty-three vulnerabilities were identified during this assessment, and the following was documented for each one:
a. vulnerability description;
b. threat source;
c. existing controls;
d. likelihood, impact, and risk rating; and
e. control recommendations.

Each of these vulnerabilities was appropriately added to the CBIS Plan of Action and Milestones (POA&M) for tracking purposes (see section IX below).

V. Independent Security Control Testing
A security test and evaluation (ST&E) was completed for CBIS as a part of the system's C&A process in September 2009. The ST&E was conducted by ESC, an OPM contractor that was operating independently from the OCFO.

The OIG reviewed the controls tested by ESC to ensure that they included a review of the appropriate management, operational, and technical controls required for a system with a "moderate" security categorization according to NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems.

The ST&E labeled each security control as common (inherited from OPM's IT infrastructure), system-specific, or hybrid. The system-specific and hybrid controls were tested as part of this ST&E, whereas the testing of common controls is the responsibility of OPM's Office of the Chief Information Officer (OCIO).

ESC tested 171 controls and determined that 19 controls were not adequately implemented. ESC presented a copy of the evaluation results to the OCFO, and each of the identified weaknesses was appropriately incorporated into the CBIS POA&M for tracking purposes.

VI. Security Control Self-Assessment
FISMA requires that the IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent ST&E is not being conducted on a system, the system's owner must conduct an internal self-assessment of security controls.

The designated security officer for CBIS conducted a self-assessment of the system in September 2010. The assessment included a review of the relevant management, operational, and technical security controls outlined in NIST SP 800-53 Revision 3. Although the OCFO did not identify any weaknesses in the 150 security controls that were tested, an OIG test of security controls indicated that system weaknesses do exist (see section X, below).

VII. Contingency Planning and Contingency Plan Testing
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. The OPM IT Security and Privacy Policy Volume 2 requires that OPM general support systems and major applications have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan
The CBIS Disaster Recovery (DR) plan documents the functions, operations, and resources necessary to restore and resume computer operations when unexpected events or disasters occur. The CBIS DR plan is reviewed and updated annually and contains the majority of elements recommended by NIST SP 800-34 guidelines, including:
• System background information;
• Concept of operations;
• Notification/activation phase;
• Recovery operations; and
• Procedures to return to normal operations.

Contingency Plan Test
NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, provides guidance for conducting and documenting contingency plan testing. Genuine contingency plan testing is a critical element of a viable disaster response capability.

In March 2010, the OCFO conducted its annual disaster recovery tabletop test. The test involved discussing the steps of restoring all mission-critical functions after a temporary electrical outage.
The documentation resulting from the CBIS DR test contains the majority of the items mentioned in the NIST guide, including the scope, objectives, participants, and logistics.

The disaster recovery test summary documented potential problems that were discovered during or at the conclusion of the test. However, one recommendation identified during the 2010 DR test has not been added to the CBIS POA&M for tracking purposes (see section IX below).

VIII. Privacy Impact Assessment
The E-Government Act of 2002 requires agencies to perform a screening or Privacy Threshold Analysis (PTA) of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system.

OMB Memorandum M-03-22 outlines the necessary components of a PIA. A PIA is used to ensure that no collection, storage, access, use, or dissemination of personally identifiable information occurs that is not needed or authorized. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed.

The OCFO completed the PTA of CBIS and determined that a PIA was required for this system. A PIA was conducted for CBIS in May 2009. Although the CBIS PIA contained the majority of the elements of M-03-22, it did not address several requirements applicable to major information systems, including:
• The consequences of collection and flow of information;
• The alternatives to collection and handling as designed;
• The appropriate measures to mitigate risks identified for each alternative; and
• The rationale for the final design choice or business process.

This issue was originally identified during the OIG's 2009 audit of CBIS.

Recommendation 1 (Roll-forward from OIG Report 4A-CI-00-09-066 Recommendation 4)
We continue to recommend that all OMB Memorandum M-03-22 requirements be incorporated into the CBIS PIA.

OCFO-FSM Response:
"We concur with the OIG recommendation. We have addressed the citations that were noted in our recent CBIS PIA. Currently the PIA is under review by the CIO IT Security Office and based upon their approval or proposed actions, we will forward the revised version of [the] CBIS PIA to your office for review no later than April 30, 2011."

OIG Reply:
We acknowledge the steps that OCFO has taken to update the CBIS PIA; no further action is required.

IX. Plan of Action and Milestones Process
A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

The OIG evaluated the CBIS POA&M and verified that it follows the format of OPM's template and has been routinely submitted to the OCIO for evaluation. However, we found that security weaknesses identified during CBIS DR testing and reviews conducted by the OIG and KPMG have not been added to the CBIS POA&M.

Recommendation 2
We recommend that the OCFO promptly update the CBIS POA&M to include all known security weaknesses.

OCFO-FSM Response:
"We concur with the OIG recommendation and our objective is to develop a centralized toolset and/or utilize CIO's [redacted] to monitor and track all POA&M's/CAP regardless of the origin of the finding or recommendation. …. We also concur that … four (4) POA&M's from the CBIS Disaster Recovery (DR) testing were omitted from the POA&M's listing but it is being tracked and monitored under the A-123 review process. After this review is completed (currently by the Policy and Internal Controls group), we will submit to your attention no later than April 30, 2011."

OIG Reply:
Although the OCFO uses a variety of tools to track CBIS security weaknesses, FISMA requires that Federal agencies track all weaknesses using the standard POA&M template developed by the Office of Management and Budget. Use of the standardized POA&M template allows the OCIO to track security weaknesses for all of the agency's information systems.

In order to adequately address this recommendation, the OCFO must add all known security weaknesses to the CBIS POA&M in addition to any other tracking tools used by the program office.

X. NIST SP 800-53 Evaluation
NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, provides guidance for implementing a variety of security controls for information systems supporting the federal government.
As part of this audit, the OIG determined\n   whether a subset of these controls had been adequately implemented for CBIS, including:\n\n   \xe2\x80\xa2   AC-2 Account Management                        \xe2\x80\xa2   IA-2 Identification and Authentication\n   \xe2\x80\xa2   AC-4 Information Flow Enforcement              \xe2\x80\xa2   IA-5 Authenticator Management\n   \xe2\x80\xa2   AC-7 Unsuccessful Login Attempts               \xe2\x80\xa2   IR-6 Incident Reporting\n   \xe2\x80\xa2   AC-8 System Use Notification                   \xe2\x80\xa2   MP-6 Media Sanitization and Disposal\n   \xe2\x80\xa2   AC-11 Session Lock                             \xe2\x80\xa2   CP-9 Information System Backup\n   \xe2\x80\xa2   AC-13 Supervision and Review \xe2\x80\x93 Access          \xe2\x80\xa2   PE-2 Physical Access Authorization\n       Control\n   \xe2\x80\xa2   AT-3 Security Training                         \xe2\x80\xa2   PL-4 Rules of Behavior\n   \xe2\x80\xa2   AU-2 Auditable Events                          \xe2\x80\xa2   PS-4 Personnel Termination\n   \xe2\x80\xa2   AU-3 Content of Audit Records                  \xe2\x80\xa2   PS-7 Third-Party Personnel Security\n   \xe2\x80\xa2   AU-6 Audit Review, Analysis, Reporting         \xe2\x80\xa2   RA-5 Vulnerability Scanning\n   \xe2\x80\xa2   CA-3 Information System Connections            \xe2\x80\xa2   SA-4 Acquisitions\n   \xe2\x80\xa2   CM-2 Baseline Configuration                    \xe2\x80\xa2   SC-10 Network Disconnect\n   \xe2\x80\xa2   CM-6 Configuration Settings                    \xe2\x80\xa2   SI-10 Information Accuracy, Completeness,\n                                                          Validity, and Authenticity\n   \xe2\x80\xa2   CP-6 Alternate Storage Site                    \xe2\x80\xa2   SI-11 Error Handling\n\n   These controls were evaluated by interviewing individuals with CBIS security\n   responsibilities, reviewing documentation and system screenshots, viewing\n   demonstrations of system 
capabilities, and conducting tests directly on the system.\n\n   Although it appears that the majority of NIST SP 800-53 security controls have been\n   successfully implemented for CBIS, several tested controls were not fully satisfied.\n\n\n\n                                                 9\n\x0ca) (AC-2) Account Management\n\n\n\n\n  NIST SP 800-53 Control AC-2 requires an organization to review, disable, and\n  remove user accounts when necessary.\n\n\n\n\n  Recommendation 3\n  We recommend that the OCFO\n\n\n  OCFO -FSM Response:\n  \xe2\x80\x9cWe concur with the [OIG] recommendation and are currently conducting our\n\n         We also acknowledge\n\n                                                                              A\n  revised account management guide, to include these refined policies, will be\n  forwarded to OIG no later than April 30, 2011.\xe2\x80\x9d\n\n  \xe2\x80\x9cEven though we communicate the risk of\n                                                                         . We\n  recommend that for that situation we will identify a policy and procedures to\n  establish a waiver that [transfers] the risk to the program offices.\xe2\x80\x9d\n\n  OIG Reply:\n  We acknowledge the steps taken by the OCFO to address this issue. 
In order to fully\n  close this audit recommendation, we recommend that the OCFO provide IOC with\n  evidence that                                             or that the risk was\n  formally accepted by senior management from that user\xe2\x80\x99s program office.\n\n  Recommendation 4\n  We recommend that the OCFO\n\n\n  OCFO-FSM Response:\n  \xe2\x80\x9cWe concur with the [OIG] recommendation and are currently conducting our\n\n\n\n                                         10\n\x0c                      A revised account management guide, to include these refined\n   policies, will be forwarded to OIG no later than April 30, 2011.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that the OCFO provide IOC\n   with evidence                                                    .\n\n   Recommendation 5\n   We recommend that the OCFO develop and implement a process to routinely audit\n\n\n   OCFO-FSM Response:\n   \xe2\x80\x9cWe concur with the [OIG] recommendation and we will continue to revise our\n   CBIS account management guide to include the OIG audit recommendations,\n   system enhancements and policies and procedures to improve the security\n   management processes. More specifically, we will routinely review\n                                             We acknowledge that the security oversight\n   for CBIS is                                 and we have made a recommendation to\n   OCFO management to invest into a product similar to\n                     that provides capabilities to assess and alert in cases where\n   security violations have occurred. 
In the interim, we have developed reports that\n   allow OPM Program Office [RMOs] and the CBIS security team a means to\n   effectively monitor                                  .\n\n   We recommend CBIS users and supervisors submit                              directly to\n   their Program Office RMO to obtain their approval and assist them in monitoring\n   and tracking                                     A revised account management\n   guide, [including] these refined policies, will be forwarded to OIG no later than\n   April 30, 2011.\xe2\x80\x9d\n\n   OIG Reply:\n   As part of the audit resolution process, we recommend that the OCFO provide IOC\n   with evidence that it has implemented a process to routinely audit\n           s.\n\nb) (AC-5) Segregation of Duties Issue\n   The OCFO developed a policy that describes specific user roles that cannot be\n   assigned to a single individual in conjunction with other roles due to segregation of\n   duty conflicts (e.g., one user having both payables manager and receivables manager\n   roles). We reviewed the active roles of all current CBIS users and determined that\n   191 users had roles that violated the segregation of duties policy.\n\n\n                                           11\n\x0cNIST SP 800-53 Control AC-5 states that system owners must separate duties of\nindividuals as necessary to prevent malevolent activity without collusion. Failure to\nimplement adequate separation of duties increases the risk that malicious activity by\nsystem users remains undetected.\n\nThe OCFO informed the OIG that several of the users that have segregation of duties\nissues have a business need to have conflicting roles. If this is the case, then the\nCBIS segregation of duties policy is not accurate, further indicating that the OCFO\ndoes not have adequate controls regarding segregation of duties. 
We consider this weakness to be a significant deficiency in CBIS’s IT security controls.

Recommendation 6
We recommend that the OCFO review (and update if necessary) the CBIS segregation of duties policy to ensure it accurately reflects business requirements.

OCFO-FSM Response:
“We concur with the [OIG] recommendation and we have refined the CBIS Segregation of Duties metric table (SoD Metric Table) to be reviewed by OIG. We are seeking OIG concurrence and approval to use this refined SoD as a basis for the internal control of user security of reducing the likelihood of fraud by discouraging collusion. If we receive concurrence, we will advise OPM Program Office [RMOs] and our security team of the newly refined SoD that will assist them in validating and executing user access requests accurately.

A revised account management guide, [including] these refined policies, will be forwarded to OIG no later than April 30, 2011.”

OIG Reply:
We acknowledge the steps the OCFO has taken to refine the CBIS SoD metric table. However, the OIG is not in a position to approve the implementation of this new table, as the development of a SoD policy requires a detailed understanding of the business requirements specific to the application. Furthermore, the OIG is an independent oversight entity and cannot participate in the development of policies and procedures of the program offices we audit.

As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence that it has updated the CBIS segregation of duties policy.

Recommendation 7
We recommend that the OCFO adjust the user roles for the accounts identified as having segregation of duties violations.

OCFO-FSM Response:
“We concur with the [OIG] recommendation and are currently conducting our semi-annual user account assessment [for] each OPM program office [of] their CBIS users. Utilizing the SoD Metric Table, we are advising OPM Program Office [RMOs] where role requests violate security standards and will recommend they re-assess requested roles based on the SoD.

We are aware that this refined policy will cause some concern within OPM organizations, so FSM is developing an annual CBIS Security Training Awareness to reinforce this and all other policy changes on a routine and continual basis. Any support from OIG that endorses these newly refined policies is appreciated. A revised account management guide, [including] these refined policies, will be forwarded to OIG no later than April 30, 2011.”

“FSM assumes the responsibility for administration and execution of user account management. As such, we will establish a policy allowing a waiver (in extreme circumstances) to bypass the SoD conflicts. However, this waiver also transfers the risk to the OPM Program Office to ensure that actions performed within the system as a result of [the] waiver do not introduce or permit fraudulent transactions and use.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence that it has adjusted the user roles for the accounts with segregation of duties violations.

Recommendation 8
We recommend that the OCFO modify the CBIS system so that technical controls are in place to prevent user accounts from being created with segregation of duties violations.

OCFO-FSM Response:
“We partially concur with the [OIG] recommendation. To retrofit this recommendation would require the purchase of                                  has the functionality to determine and alert when security violations occur and to monitor system configurations and security set-ups. FSM is recommending the purchase of               to CFO leadership for consideration. Upon approval, it will be forwarded to the CBIS Change Control Board and the Executive Steering Committee for review and analysis. In the interim FSM’s Financial Application Management (FAM) Group will continue to use SoD and other reports defined in our account management guidelines to monitor and track SoD violations. We will introduce a change request to both the CCB and then ESC for concurrence no later than April 30, 2011.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence that it has implemented technical controls to prevent user accounts from being created with segregation of duties violations.

Recommendation 9
We recommend that the OCFO implement a process to routinely audit all active user accounts to identify accounts that have roles that violate the segregation of duties policy.

OCFO-FSM Response:
“We concur with the [OIG] recommendation and we are developing security incident reports to assist the security team and OPM Program Office [RMOs] in conducting more frequent reviews of CBIS user accounts (within their organization) and to also alert when those accounts may violate the approved SOD Metrics. More specifically, we (the CBIS security team) will routinely review user accounts on a quarterly basis and when needed.

We recommend CBIS users and supervisors submit security access forms directly to their Program Office RMO to obtain their approval and assist them in monitoring and tracking modifications to user accounts. A revised account management guide, [including] these refined policies, will be forwarded to OIG no later than April 30, 2011.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence that it is routinely auditing CBIS user accounts to identify segregation of duties violations.

c)

Recommendation 10

OCFO-FSM Response:
“We concur with the [OIG] recommendation.

OIG Reply:

Recommendation 11
We recommend that the appropriate technical modifications be made to CBIS to

OCFO-FSM Response:
“We partially concur with the [OIG] recommendation and

                  FSM is recommending the purchase of          to CFO leadership for consideration.

OIG Reply:
We acknowledge the fact that

                            Once the           is complete, we recommend that the OCFO provide IOC with evidence that the

Recommendation 12
We recommend that the OCFO

OCFO-FSM Response:
“We partially concur with the [OIG] recommendation

1. Current Active users and assigned responsibilities

                            FSM is recommending the purchase of                    to CFO leadership for consideration.

OIG Reply:
As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence indicating that the program office                                                  discussed in Recommendation 10, above.

d) (CM-6) Configuration Settings
The OIG conducted vulnerability scans of the           databases supporting CBIS using                                                   scanning tool.
The vulnerability scans revealed that the databases contained settings configured in a manner not fully compliant with best practices as defined by                                 Although the technical details of these settings will not be included in this report, the OCFO has been provided with this information.

NIST SP 800-53 Control CM-6 states that information systems should be configured in a manner that reflects the most restrictive mode consistent with operational requirements.

Recommendation 13
We recommend that the OCFO evaluate the potential configuration weaknesses identified by the OIG and, if necessary, make the appropriate technical modifications.

OCFO-FSM Response:
“We do not concur with the [OIG] recommendation. The results of the scan conducted by the OIG were anticipated and expectedly applicable to the CBIS database configuration. The scan conducted by OIG identified [items] … required for (and support) the CBIS [application’s] day-to-day operations. … As such, we believe we are in compliance with NIST SP 800-53 Control CM-6 as the system is configured in a manner that restricts access based on the operational requirement … to support CBIS operations.”

OIG Reply:
We acknowledge the fact that the configuration settings questioned are required to support CBIS day-to-day operations. No further action is required.

e)

Recommendation 14
We recommend that the OCFO

OCFO-FSM Response:
“We concur with the [OIG] recommendation and are currently conducting our

FAM will ensure that the processes

                    A revised account management guide, [including] these refined policies, will be forwarded to OIG no later than April 30, 2011.”

OIG Reply:
As part of the audit resolution process, we recommend that the OCFO provide IOC with evidence indicating

Recommendation 15
We recommend that the OCFO implement a process

Recommendation 16
We recommend that the OCFO implement a procedure to
                                                                               .

OCFO-FSM Response:
“We concur with the [OIG] recommendation. FAM will request that CIO provides the CBIS security team

              Upon implementation of this process, we will notify the OPM Program Office [RMOs] that they

We will forward a revised account management guide that includes these refined policies for review no later than April 30, 2011.”

OIG Reply:
We agree that the OCFO’s plan to use the

                       However, the intent of Recommendations 15 and 16 is to implement both

Major Contributors to this Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

•                  , Group Chief
•                    , Senior Team Leader
•               , Auditor In Charge